China is increasingly suspected of involving “white hat” hackers, who typically identify cybersecurity weaknesses, in cyberattacks. This development is believed to be boosting China’s offensive capabilities by utilising its top private hackers, according to a report by Nikkei Asia. The investigation, conducted by Nikkei Asia and other organisations, reveals that since the introduction of mandatory vulnerability reporting to the Chinese government in 2021, the number of attacks with suspected Chinese involvement has risen sharply.
White hats, who work for security companies or as freelancers, are responsible for bug hunting. They identify vulnerabilities, report them to developers, and receive compensation. Nikkei Asia further reported that developers issue patches and ask users to install them to enhance security. In September 2021, concerns emerged in Europe and the US about the exploitation of vulnerabilities before patches could be deployed.
Later that year, Chinese media reported that the Ministry of Information and Technology had suspended Alibaba Group Holding’s cloud computing operations from participating in a cybersecurity partnership for six months due to a failure to report issues. In collaboration with cybersecurity firm Trend Micro, Nikkei Asia collected data on 222 software vulnerabilities identified by the US government and others as being exploited by hacker groups believed to be linked to the Chinese government. These groups are suspected of using these vulnerabilities to infiltrate networks.
Katsuyuki Okamoto, a cybersecurity expert at Trend Micro, told Nikkei Asia, “In the past, the main method of cyberattack was phishing, involving tricking victims into downloading malware via email. Now, vulnerability attacks are mainstream.” A search on OTX (Open Threat Exchange), a collaborative platform developed by AlienVault (now part of AT&T Cybersecurity) for sharing and accessing threat intelligence, found a total of 1,047 attacks exploiting these vulnerabilities.
Chinese white hats, known for their bug-hunting skills, are highly regarded worldwide. In 2021, when the vulnerability reporting obligation was introduced, there were 16 reported cases. This number surged to 267 in 2022 and nearly doubled again to 502 in 2023. The current year is following a similar trend, with 242 cases reported in the first half.
Taiwan-based cybersecurity firm TeamT5, which examined the leaked files, reports that i-Soon has employed numerous self-identified white hat hackers. However, a significant portion of their work has been commissioned by Chinese state security.